Incident response to Heartbleed (CVE-2014-0160)

By Andrew Fisher on April 9, 2014

As many of our security-conscious readers may already be aware, details were recently released about a vulnerability widely referred to as Heartbleed (CVE-2014-0160) in the OpenSSL toolkit, a cryptography library used by AeroFS and countless others across the Internet.

AeroFS has no reason to believe that the attack has been used to compromise the integrity or confidentiality of any of our services or of our users’ data. Even so, due to the hard-to-detect nature of the attack, we’re taking a very broad view of the potential impact and responding with maximal caution.

What is AeroFS doing in response?

AeroFS uses OpenSSL in many ways, and we’ve been working hard to make sure that our users’ data and accounts are kept safe. Specifically:

  • We’ve been busily patching our servers. As of 2014-04-07 20:00 PDT, all of our servers have been updated to use a newer, protected version of OpenSSL.
  • We’ve been reissuing SSL keys and certificates for both our public `*.aerofs.com` servers and internal service credentials. As of 2014-04-09 10:00 PDT, all of our servers are using only newly-generated keys and certificates. Additionally, we’ve asked RapidSSL to revoke our old certificates, just to be on the safe side.
  • We’ve rebuilt and released a new version of the AeroFS Hybrid Cloud client with the fixed OpenSSL on 2014-04-08 15:10, which most of our users are already running. AeroFS 0.8.25 and 0.8.26 are both securely patched.
  • We’ve rebuilt and released a new version of the AeroFS Private Cloud appliance with the fixed OpenSSL.
  • We’ve forcibly reset browser sessions that were active prior to 2014-04-09 15:00 PDT.
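A fleet-triage check a defender can run while working through the server-patching step above, added here as an example (it is not AeroFS code): it parses `openssl version` banners and classifies each host against the upstream affected range of OpenSSL. The host names and banners in the inventory are constructed sample input.

```python
import re

# Upstream OpenSSL releases affected by Heartbleed (CVE-2014-0160): 1.0.1 through
# 1.0.1f (fixed in 1.0.1g) and the 1.0.2-beta1 pre-release. The 0.9.8 and 1.0.0
# branches never contained the TLS heartbeat extension code.
VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?", re.IGNORECASE
)


def parse_openssl_version(banner):
    """Parse an `openssl version` banner into (major, minor, fix, letter, beta)."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("no OpenSSL version string in: %r" % banner)
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4).lower()
    beta = int(m.group(5)) if m.group(5) else None
    return major, minor, fix, letter, beta


def heartbleed_status(banner):
    """Return 'vulnerable', 'fixed' or 'not-affected' for an upstream version banner."""
    major, minor, fix, letter, beta = parse_openssl_version(banner)
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (no letter) .. 1.0.1f are affected; 1.0.1g and later carry the fix.
        # String order "" < "f" < "g" matches OpenSSL's patch-letter sequence.
        return "vulnerable" if letter < "g" else "fixed"
    if (major, minor, fix) == (1, 0, 2):
        return "vulnerable" if beta == 1 else "fixed"
    return "not-affected"


def hosts_needing_patch(inventory):
    """Inventory lines are '<host> <banner>'; return hosts still reporting an affected version."""
    flagged = []
    for line in inventory.strip().splitlines():
        host, banner = line.split(None, 1)
        if heartbleed_status(banner) == "vulnerable":
            flagged.append(host)
    return flagged


# Constructed sample inventory, one host per line.
SAMPLE_INVENTORY = """\
web1.example.com OpenSSL 1.0.1e 11 Feb 2013
web2.example.com OpenSSL 1.0.1g 7 Apr 2014
legacy.example.com OpenSSL 0.9.8y 5 Feb 2013
build.example.com OpenSSL 1.0.2-beta1 24 Feb 2014
"""
```

On distributions that backport the fix without bumping the version letter (Debian and Ubuntu kept reporting 1.0.1e and 1.0.1), a "vulnerable" verdict means "confirm against the package changelog", not "confirmed exposed".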

What can you do?

AeroFS has no reason to believe that the attack has been used to compromise the integrity of any of our services or of our users’ data. Even so, if you want to be extra careful, you can:

  • Make sure you update your AeroFS client to at least release version 0.8.25. AeroFS will update itself automatically, but you can do it manually too.
  • Reset your AeroFS password.
  • Double-check your list of devices and shared folders for any unexpected devices or users in your shared folders.
  • If you are supremely paranoid, unlink and reinstall each of your devices.

Additionally, if you’re a Private Cloud customer, or administer an AeroFS Private Cloud instance, you should:

  • Reset your Private Cloud password.
  • Download and upgrade to the latest appliance (at least version 0.8.27) on your network. Be sure to take down any instances older than 0.8.27: these may still be vulnerable to Heartbleed.
  • Encourage your users to update their AeroFS clients and reset their AeroFS passwords.

If you have any questions about our security response, please email us at security@aerofs.com.